sinatra/rack-protection/lib/rack/protection.rb

require 'rack/protection/version'
require 'rack'

module Rack
  module Protection
    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
    autoload :Base,              'rack/protection/base'
    autoload :EscapedParams,     'rack/protection/escaped_params'
    autoload :FormToken,         'rack/protection/form_token'
    autoload :FrameOptions,      'rack/protection/frame_options'
    autoload :HttpOrigin,        'rack/protection/http_origin'
    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
    autoload :JsonCsrf,          'rack/protection/json_csrf'
    autoload :PathTraversal,     'rack/protection/path_traversal'
    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
    autoload :RemoteToken,       'rack/protection/remote_token'
    autoload :SessionHijacking,  'rack/protection/session_hijacking'
    autoload :XSSHeader,         'rack/protection/xss_header'

    def self.new(app, options = {})
      # does not include: RemoteReferrer, AuthenticityToken and FormToken
      except = Array options[:except]
      use_these = Array options[:use]
      Rack::Builder.new do
        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
        run app
      end.to_app
    end
  end
end
initial commit 2011-05-23 10:07:54 +02:00			`require 'rack/protection/version'`
			`require 'rack'`

			`module Rack`
			`module Protection`
			`autoload :AuthenticityToken, 'rack/protection/authenticity_token'`
			`autoload :Base, 'rack/protection/base'`
			`autoload :EscapedParams, 'rack/protection/escaped_params'`
			`autoload :FormToken, 'rack/protection/form_token'`
			`autoload :FrameOptions, 'rack/protection/frame_options'`
Use HTTP Origin by default 2012-01-30 15:57:25 +07:00			`autoload :HttpOrigin, 'rack/protection/http_origin'`
add IP spoofing protection 2011-06-20 09:16:03 +02:00			`autoload :IPSpoofing, 'rack/protection/ip_spoofing'`
add JSON CSRF protection 2011-06-19 15:26:39 +02:00			`autoload :JsonCsrf, 'rack/protection/json_csrf'`
initial commit 2011-05-23 10:07:54 +02:00			`autoload :PathTraversal, 'rack/protection/path_traversal'`
			`autoload :RemoteReferrer, 'rack/protection/remote_referrer'`
			`autoload :RemoteToken, 'rack/protection/remote_token'`
typo 2011-05-25 11:57:25 +02:00			`autoload :SessionHijacking, 'rack/protection/session_hijacking'`
initial commit 2011-05-23 10:07:54 +02:00			`autoload :XSSHeader, 'rack/protection/xss_header'`

			`def self.new(app, options = {})`
remove NoReferrer, instead, take an option for that 2011-06-20 13:08:39 +02:00			`# does not include: RemoteReferrer, AuthenticityToken and FormToken`
initial commit 2011-05-23 10:07:54 +02:00			`except = Array options[:except]`
Introducing :use 2013-01-21 18:16:28 +07:00			`use_these = Array options[:use]`
initial commit 2011-05-23 10:07:54 +02:00			`Rack::Builder.new do`
Introducing :use 2013-01-21 18:16:28 +07:00			`use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer`
			`use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token`
			`use ::Rack::Protection::FormToken, options if use_these.include? :form_token`
Use more specific namespace declaration in Rack::Builder configuration. 2011-11-21 16:27:54 +01:00			`use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options`
Use HTTP Origin by default 2012-01-30 15:57:25 +07:00			`use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin`
Use more specific namespace declaration in Rack::Builder configuration. 2011-11-21 16:27:54 +01:00			`use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing`
			`use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf`
			`use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal`
			`use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token`
			`use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking`
			`use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header`
initial commit 2011-05-23 10:07:54 +02:00			`run app`
			`end.to_app`
			`end`
			`end`
			`end`